How to hide details and stack trace information in the error pages of your Crowd environment

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

In its default configuration, as supplied with Crowd Data Center, Apache Tomcat discloses information such as product version and stack traces.

Some customers may find this level of detail excessive, as it could be flagged in security scans or penetration tests and considered a potential security risk.

Environment

Crowd Data Center 5.1 or newer

Diagnosis

Generating an error such as "page not found" displays Tomcat's standard error page, which includes the Tomcat version.

To generate a "404 - Not Found" error, navigate to any non-existent page under the Crowd base URL, such as <BASEURL>/crowd/thispagedoesnotexists

Other errors might also include Java stack traces, which in turn might provide details such as file system paths, database details, etc.

Cause

Default error reporting configuration on Apache Tomcat might be considered too verbose in some situations.

Solution

To reduce the amount of information reported on errors, modify Tomcat's configuration by adding an ErrorReportValve directive. Follow the steps below:

  1. Edit the file <install-directory>/apache-tomcat/conf/server.xml

  2. Search for the line starting with

     <Host ...

  3. Just below the closing ">" of that <Host ...> tag, insert the following line:

     <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" />

  4. Save the changes and exit.

  5. Restart the application for the changes to take effect.

To verify that the solution is working, try again to access a non-existent page (for example http://<BASEURL>/crowd/thispagedoesnotexists).

Error pages should now look as follows: only the HTTP error code is returned, with no product version or stack traces.
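The following script is an added example, not Atlassian's own tooling: it inserts the ErrorReportValve line from the steps above directly after the <Host ...> opening tag of a server.xml (handling a tag that spans several lines and leaving a file that already has the valve untouched), and it checks an error-page body for the two things the valve suppresses, the Tomcat version string and Java stack-trace lines. The server.xml fragment, the sample 404 bodies and the base URL used for the live check are constructed; the Crowd install path is an assumption.

```shell
#!/bin/sh
# Added example (not Atlassian's script): add the ErrorReportValve to a Crowd
# Tomcat server.xml and check that error pages no longer disclose details.

VALVE='<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" />'

# Print server.xml ($1) with the valve inserted on the line after the <Host ...>
# opening tag. The tag may span several lines, so the insert follows the line
# that carries its closing ">". If the valve is already present, print unchanged.
add_error_report_valve() {
  if grep -q 'org.apache.catalina.valves.ErrorReportValve' "$1"; then
    cat "$1"
    return 0
  fi
  awk -v valve="$VALVE" '
    { print }
    in_host && />/ { print "        " valve; in_host = 0 }      # tag closes here
    /<Host[[:space:]>]/ { if ($0 ~ />/) print "        " valve; else in_host = 1 }
  ' "$1"
}

# Return 0 when the error page body ($1) shows neither a Tomcat version line
# (the default page prints "Apache Tomcat/x.y.z") nor a Java stack trace
# ("...Exception" plus "at package.Class.method(" lines); return 1 otherwise.
error_page_is_quiet() {
  if printf '%s\n' "$1" | grep -Eq 'Apache Tomcat/[0-9]|[A-Za-z]+Exception|^[[:space:]]*at [A-Za-z0-9_.$]+\('; then
    return 1
  fi
  return 0
}

# Live check against a running Crowd (base URL in $1, assumed reachable):
# fetch the non-existent page from the KB and report whether it is quiet.
check_live_error_page() {
  body=$(curl -s "$1/crowd/thispagedoesnotexists")
  if error_page_is_quiet "$body"; then
    echo "error page is quiet"
  else
    echo "error page still discloses version or stack trace"
    return 1
  fi
}

# Constructed stand-in for <install-directory>/apache-tomcat/conf/server.xml
# (real path assumed to be e.g. /opt/atlassian/crowd/apache-tomcat/conf/server.xml)
TMP_XML=$(mktemp)
cat > "$TMP_XML" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Context path="/crowd" docBase="../../crowd-webapp" />
      </Host>
    </Engine>
  </Service>
</Server>
EOF

# Constructed bodies: what a default Tomcat 404 page shows, and a quiet page.
VERBOSE_404='<h1>HTTP Status 404 - Not Found</h1><hr class="line" /><h3>Apache Tomcat/9.0.0</h3>'
QUIET_404='<html><head><title>HTTP Status 404 - Not Found</title></head><body></body></html>'

add_error_report_valve "$TMP_XML"
error_page_is_quiet "$VERBOSE_404" || echo "constructed default page discloses the Tomcat version"
error_page_is_quiet "$QUIET_404" && echo "constructed quiet page discloses nothing"
rm -f "$TMP_XML"
```

Run the script as-is to see the valve placed inside the constructed <Host> block, or redirect add_error_report_valve's output to a copy of the real server.xml and diff it before replacing the file. Note that the valve only changes what the browser receives: the underlying exceptions are still written to the Tomcat and Crowd logs, which is where troubleshooting continues after this change.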


Updated on April 14, 2025
